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(54) Key management device/method/program, recording medium, reproducing device/method, 
recording device, and computer-readable, second recording medium storing the key 
management program for copyright protection 



(57) The key management device manages keys re- 
spectively arranged on nodes forming an N-layer tree 
structure. Each group of keys composed of a key on the 
/V th layer and all its superordinate keys is assigned to a 
different reproducing device. Upon receipt of informa- 
tion designating a key group, the key selecting unit in- 
validates each key in the key group, and selects non- 
invalid keys immediately subordinate to each invalid 
key. The content encrypting unit encrypts a content us- 



ing a content key. The ciphertext generating unit gener- 
ates ciphertexts by encrypting the content key using 
each selected key. The selected key list generating unit 
generates a list of the selected keys used to encrypt the 
content key. The key management device records the 
encrypted data and the ciphertexts in a recording medi- 
um. The reproducing devices reads the recording me- 
dium, obtains the content key by decrypting s ciphertext 
using a key identified in the list. 
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Description 

BACKGROUND OF THE INVENTION 

(1) Field of the Invention 

[0001 ] The present invention relates to a key manage- 
ment device for managing groups of keys pre-stored in 
a plurality of reproducing devices for protecting copy- 
rights on created contents, such as movies. The present 
invention also relates to a recording medium of which 
data is recorded by the key management device and a 
reproducing device for reproducing the data read from 
the recording medium or outputted from the key man- 
agement device for copyright protection. 

(2) Description of the Related Art 

[0002] In recent years, as recording mediums in- 
crease in storage capacity, sales of recording mediums, 
such as DVDs, that stores created contents, such as 
movies, in digital form have been a thriving business. In 
such a business, it is required that reproducing devices 
reproduce or copy copyrighted contents only under au- 
thorization from copyright holders to protect such con- 
tents. 

[0003] To protect created contents from unauthorized 
duplication, there is a technique, for example, in which 
digital contents are stored after encrypted with encryp- 
tion keys, so that only reproducing devices having cor- 
responding decryption keys are able to decrypt the en- 
crypted contents. 

[0004] I n this case, the decryption keys that reproduc- 
ing devices have need to be strictly protected in order 
not to expose the keys to the third parties. However, they 
may be a case where an unauthorized user finds out a 
decryption key accidentally or intentionally. Once an un- 
authorized user takes possession of a decryption key 
stored in a reproducing device, he may maliciously use 
the decryption key to decrypt and handle contents, 
thereby violating copyrights on the contents. For the 
sake of copyright protection, it is necessary to invalidate 
decryption keys stored in the reproducing device that 
have been used without proper authorization. 
[0005] A similar problem lies in keys stored in repro- 
ducing devices for the broadcasting media, such as sat- 
ellite broadcasting and multicasting via the Internet. In 
the case of satellite broadcasting, when a reproducing 
device receives an encrypted broadcasting program, 
the program is decrypted with a decryption key stored 
in the reproducing device and reproduced. Here, a de- 
cryption key stored in a reproducing device need to be 
invalidated when a subscription contract allowing the re- 
producing device to subscribe pay channels is can- 
celed. One example of a technique for invalidating an 
individual key stored in reproducing devices is a crypto- 
graphic key distribution system disclosed in Japanese 
Laid-Open Application No. HEI 11 (1999)-187013. 



[0006] In this cryptographic key distribution system, 
however, is disadvantageous in the following respect. 
When each reproducing device has N keys, that is a 
group of keys arranged on one path in a hierarchal tree 

5 structure having N layers, it is necessary to generate 
2N-3 of ciphertexts in order to invalidate the group of 
keys stored in one reproducing device. In addition, re- 
producing devices other than that particular reproducing 
device are required to sequentially decrypt A/-1 cipher- 

10 texts atmaximum inorderto obtain the content key used 
to decrypt the contents. 

SUMMARY OF THE INVENTION 

15 [0007] In view of the above problems, a first object of 
the present invention is to provide a key management 
device or a reproducing device which requires a key 
management device to generate a fewer number of ci- 
phertexts to invalidate keys stored in a reproducing de- 

20 vice and requires a reproducing device to decrypt a min- 
imum number of ciphertexts to obtain a content key. 
[0008] Further a second object of the present inven- 
tion is to provide a key management device for restoring 
keys that have been once invalidated back to a usable 

25 state. 

[0009] The first object of the present invention is 
achieved by a key management device for managing 
keys, the keys being grouped into a plurality of key 
groups each of which is assigned to one of a plurality of 
30 reproducing devices for decrypting encrypted data to re- 
produce the data, the key management device including 
a key storage unit for storing the keys, wherein each key 
is associated with a node forming at least one N-layer 
tree structure (N is 2 or a natural number greater than 
35 2), and each key group includes keys associated with a 
different group of nodes, each group of nodes being a 
set of nodes located on a different path, in each tree 
structure, connecting a different node on the AA h layer 
and a node on the highest layer; and an encryption in- 
40 formation generating unit for, upon receipt of information 
designating a key group assigned to one of the repro- 
ducing devices, (1) invalidating each key in the desig- 
nated key group, (2) selecting non-invalid keys being im- 
mediately subordinate to each invalid key from among 
45 keys in the key groups that are assigned to the other 
reproducing devices and each of which includes one or 
more invalid keys, and (3) generating encryption infor- 
mation that includes (i) ciphertexts corresponding to a 
content key that is used to encrypt the data, the cipher- 
50 texts being generated by encrypting the content key us- 
ing each selected key, and (ii) identification information 
for identifying the selected keys, and wherein each re- 
producing device stores N keys assigned thereto, se- 
lectively decrypts one of the ciphertexts that is decryp- 
ts table using a key identified by the identification informa- 
tion to obtain the content key, and decrypts the data us- 
ing the thus obtained content key to reproduce a con- 
tent. 
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[0010] With this construction, when a group of keys 
stored in one reproducing device has been invalidated, 
other reproducing devices than that particular reproduc- 
ing device are still able to decrypt one of the ciphertexts 
using a key stored therein, and thus to obtain a content 5 
key. 

[0011] Here : the encryption information generating 
unit may include: a data generating unit which generates 
the data by encrypting the content using the content key; 
an invalid key accepting unit which accepts the informa- 10 
tion designating the key group assigned to the one re- 
producing device; a key selecting unit which invalidates 
each key in the designated key group, and selects the 
non-invalid keys being immediately subordinate on a dif- 
ferent path to each invalid key except for the invalid key is 
residing on the /V th layer; a ciphertext generating unit 
which generates the ciphertexts by encrypting the con- 
tent key using each selected key; and a selected key list 
generating unit which generates a list used to identify 
the selected keys. - 20 

[0012] With this construction, when a group of keys 
stored in one reproducing device has been designated 
to be invalidated, the key management device encrypts 
a content key in a manner to generate ciphertexts that 
are decryptable to the other reproducing devices than 25 
that specific reproducing device. Since data is encrypt- 
ed with the content key, the other reproducing devices 
than that specific reproducing device are able to decrypt 
one of the ciphertexts to obtain the content key, and thus 
to decrypt the data with the content key. On the contrary, 30 
the reproducing device having a group of keys invalidat- 
ed is not able to obtain the content key. 
[0013] Here : the key storage unit may include a key 
management information storage unit which stores 
each key's (i) identifier for identifying the key, (ii) parent 35 
key identifier for identifying its parent key being imme- 
diately superordinate to the key, (iii) key state informa- 
tion showing whether the key is a selected key being 
used to generate one of the ciphertexts, an invalid key, 
or a non-used key, and (iv) key data, and wherein the 40 
invalid key accepting unit accepts identifiers for each 
key in the designated key group, and the key selecting 
unit (1 ) updates the key state information so as to inval- 
idate a key of which identifier matches any of the des- 
ignated identifiers, and (2) updates the key state infor- 
mation so as to select a key (i) of which identifier does 
not match any of the designated identifiers, (ii) of which 
parent key is invalidated, and (iii) that is neither invalided 
nor selected. 

[0014] With this construction, each key's key state in- 50 
formation included in the key management information 
is updated in a manner to invalidate a group of keys to 
be invalidated with reliability. 

[0015] Here : in the key management information, the 
key on the highest layer may have a specific value as 55 
its parent key identifier, and the key selecting unit may 
select the key of which parent identifier has the specific 
value as a selected key unless the key is invalidated. 



[0016] With this construction, in an initial state, the 
key management device encrypts a content key into ci- 
phertext with the key residing on the top layer of a tree 
structure.. 

[0017] The second object of the present invention is 
achieved by the above key management device, where- 
in the encryption information generating unit may further 
include: a restoring key accepting unit which accepts in- 
formation designating a key group that has been inval- 
idated and to be restored: and a restoring unit which (a) 
selects, from among the keys in the designated key 
group to be restored, a key of which parent key being 
immediately superordinate to the key and a brother key 
having the same parent key are both invalidated, and 
(b) changes a subordinate key of the thus selected key 
in the designated key group to a non-used key. 
[0018] With this construction, a group of keys that has 
been once invalidated is restored back to a useable 
state. 

[0019] Here, the key storage unit may include a key 
management information storage unit which stores, 
each key's (i) identifier for identifying the key, (ii) parent 
key identifier for identifying its parent key being imme- 
diately superordinate to the key, (iii) key state informa- 
tion showing whether the key is a selected key being 
used to generate one of the ciphertexts. an invalid key, 
or a non-used key, and (iv) key data, wherein the restor- 
ing key accepting unit accepts identifiers for each key 
in the designated key group to be restored, and the re- 
storing unit updates the key state information so as to 
(1 ) select, from among keys having an identifier that 
matches any of the designated identifiers, (i) the key on 
the highest layer when its immediately subordinate key 
residing on a different path is currently selected, or (ii) 
a key on the second layer or below when its brother key 
having the same parent key is all invalidated, (2) change 
to a non-used key a key having an identifier that match- 
es any of the designated identifiers and being subordi- 
nate on the same path to the thus selected key, and (3) 
change to a non-used key a key having an identifier that 
does not match any of the designated identifiers and 
having the thus selected key as its parent key. 
[0020] With this construction, the key management 
device receives identifiers for a group of keys designat- 
ed to be restored so as to update the key management 
information accordingly. 

[0021 ] Here, the key management device may further 
include: a new key accepting unit for accepting the 
number of reproducing devices to which a key group is 
newly assigned; a new key generating unit for generat- 
ing keys which are associated with nodes forming an Al- 
layer tree structure (M is a natural number between 2 
and N inclusive); and a connecting unit for replacing a 
key on the highest layer of the newly generated tree 
structure with a selected key or a non-used key residing 
on the or higher layer of the existing tree 

structure stored in the key recording unit. 
[0022] With this construction, a group of new keys 
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may be assigned to a new reproducing device. 
[0023] Here : the key management device may further 
include a recording unit for recording to a recording me- 
dium the data generated by the data generating unit, the 
ciphertexts generated by the ciphertext generating unit, 
and the selected key list generated by the selected key 
generating unit. 

[0024] With this construction, there is provided a key 
management device that encrypts and writes contents 
onto a recording medium in a manner that the receded 
contents are not decryptable to a reproducing device 
which has been used without proper authorization. 
[0025] Here, the key management device may further 
include a transmitting unit for transmitting to the plurality 
of reproducing devices the data generated by the data 
generating unit, the ciphertexts generated by the cipher- 
text generating unit ; and the selected key list generated 
by the selected key generating unit. 
[0026] With this construction, there is provided a key 
management device that encrypts and transmits con- 
tents in a manner that the transmitted contents are not 
decryptable to a reproducing device which has been 
used without proper authorization. 
[0027] Here, the key management information storing 
unit may store the key management information every 
time it is updated by the key selecting unit, and the key 
storage unit may further include a restoring unit for re- 
storing the key management information back to its ini- 
tial version or any updated version. 
[0028] With this construction, the key management in- 
formation is easily restored back to the state at a point 
in the past. 

[0029] Here, the key storage unit may store L tree 
structures, L being 2 K+1 when the maximum number of 
key groups to be invalidated is set at 2 K . 
[0030] With this construction, the optimal number of 
tree structures is obtained in view of the number of keys 
to be assigned to each reproducing device, the number 
of keys to be stored by the key management device, and 
the numbers of ciphertexts to be generated. 
[0031] Alternatively, the first object is achieved by a 
recording medium to be reproduced by one of a plurality 
of reproducing devices each of which stores a key 
group, wherein each key in the key group being as- 
signed to a node forming an A/-layer tree structure (N is 
2 or a natural number greater than 2) together with 
nodes with which keys stored in the other reproducing 
devices are associated, and the keys in the key group 
being associated with a group of nodes that is a set of 
nodes located on a path, in each tree structure, connect- 
ing a node on the /V th layer and a node on the highest 
layer, the recording medium including: a data area which 
stores data generated by encrypting a content using a 
content key; a ciphertext area which stores at least one 
ciphertext generated by encrypting the content key us- 
ing a selected key, the selected key being identical to 
one of the keys stored in each reproducing device ex- 
cept for a specifically designated reproducing device; 



and a selected key list area which stores information 
identifying the selected key used for encrypting the con- 
tent key. 

[0032] With this construction, data recoded in the re- 
5 cording medium is reproducible only by the reproducing 
devices other than a reproducing device that has been 
misused. 

[0033] Alternatively, the first object of the present in- 
vention is achieved by a reproducing device for decrypt - 

10 ing encrypted data to reproduce the data, the reproduc- 
ing device including: a key group storing unit for storing 
N keys (N is 2 or a natural number greater than 2), 
wherein the N keys are respectively associated with 
nodes forming an AMayer tree structure together with 

15 nodes with which keys stored in other reproducing de- 
vices are associated, and the N keys are associated with 
a group of nodes that is a set of nodes located on a path , 
in the tree structure, connecting a node on the /V th layer 
to a node on the highest layer; a reproduction informa- 

20 tion obtaining unit for obtaining (i) the data by encrypting 
a content using a content key, (it) at least one ciphertext 
generated by encrypting the content key, and (iii) iden- 
tification information for identifying a key used to encrypt 
the content key; a content key decrypting unit for select - 

25 ing a key identified by the identification information from 
the keys stored in the key group storage unit, and de- 
crypting the ciphertext that is decryptable using the thus 
selected key to obtain the content key; and a content 
reproducing unit for decrypting the data using the thus 

30 obtained content key to reproduce the content. 

[0034] With this construction, there is provided a re- 
producing device capable of reproducing obtained data 
using one of the keys stored therein. 
[0035] Here, the reproducing device may further in- 

35 elude a read unit for reading from a recording medium 
(i) the data generated by encrypting the content using 
the content key, (ii) the ciphertext generated by encrypt- 
ing the content key, and (iii) the information for identify- 
ing the key used to decrypt the content key, and passing 

40 the read result to the reproduction information obtaining 
unit. 

[0036] With this construction, data recoded in the re- 
cording medium is decrypted and reproduced only by 
authorized reproducing devices. 

^5 [0037] Here, the reproducing device may further in- 
clude a receiving unit for receiving (i) the data generated 
by encrypting the content using the content key, (ii) the 
ciphertext generated by encrypting the content key, and 
(iii) the information for identifying the key used to decrypt 

50 the content key, and passing the received result to the 
reproduction information obtaining unit. 
[0038] With this construction, broadcasted data is re- 
ceived, decrypted and reproduced only by authorized 
reproducing devices. 

55 [0039] Alternatively, the fist object of the present in- 
vention may be achieved by a key management method 
for use in a key management device to manage keys 
stored in a storage area of the key management device, 
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wherein the keys are grouped into a plurality of key 
groups each of which is assigned to one of a plurality of 
reproducing devices : each key is associated with a node 
forming at least one AMayer tree structure (N is 2 or a 
natural number greater than 2), each key group includes 
keys associated with a different group of nodes, each 
group of nodes being a set of nodes located on a differ- 
ent path, in each tree structure, connecting a different 
node on the /V th layer and a node on the highest layer, 
the key management method including: an accepting 
step for accepting information designating a key group 
stored in one of the reproducing devices; a key selecting 
step for (1) invalidating each key in the designated key 
group, and (2) selecting non-invalid keys being immedi- 
ately subordinate to each invalid key from among keys 
in the key groups that are assigned to the other repro- 
ducing devices and each of which includes one or more 
invalid keys; and an encryption information generating 
step for generating encryption information that includes 
(i) ciphertexts corresponding to a content key that is 
used to encrypt the data, the ciphertexts being generat- 
ed by encrypting the content key using each selected 
key, and (ii) identification information for identifying the 
-selected keys, and wherein each reproducing device 
stores N keys assigned thereto, selectively decrypts one 
of the ciphertexts that is decryptable using a key identi- 
fied by the identification information to obtain the content 
key, and decrypts the data using the thus obtained con- 
tent key to reproduce a content. 

[0040] With this method, when a group of keys stored 
in one reproducing device is invalidated, the other re- 
producing devices than that particular reproducing de- 
vice are still able to decrypt one of the ciphertexts with 
a key stored within the reproducing devices. 
[0041] Alternatively, the first object of the present in- 
vention is achieved by a key management program for 
use in a computer to manage keys, the keys being 
grouped into a plurality of key groups each of which is 
assigned to one of a plurality of reproducing devices, 
wherein each key is associated with a node forming at 
least one AMayer tree structure (N is 2 or a natural 
number greater than 2), each key group includes keys 
associated with a different group of nodes, each group 
of nodes being a set of nodes located on a different path, 
in each tree structure, connecting a different node on 
the /V th layer and a node on the highest layer, the pro- 
gram including: an accepting step for accepting infor- 
mation designating a key group stored in one of the re- 
producing devices; a key selecting step for (1) invalidat- 
ing each key in the designated key group, and (2) se- 
lecting non-invaiid keys being immediately subordinate 
to each invalid key from among keys in the key groups 
that are assigned to the other reproducing devices and 
each of which includes one or more invalid keys; and an 
encryption information generating step for generating 
encryption information that includes (i) ciphertexts cor- 
responding to a content key that is used to encrypt the 
data, the ciphertexts being generated by encrypting the 



content key using each selected key, and (ii) identifica- 
tion information for identifying the selected keys, and 
wherein each reproducing device stores N keys as- 
signed thereto, selectively decrypts one of the cipher- 
5 texts that is decryptable using a key identified by the 
identification information to obtain the content key, and 
decrypts the data using the thus obtained content key 
to reproduce a content. 

[0042] With this program, keys assigned to reproduc- 

10 ing devices are managed. 

[0043] Alternatively, the object of the present inven- 
tion is achieved by a computer readable recording me- 
dium for use in a key management device to manage 
keys, the keys being grouped into a plurality of key 

is groups each of which is assigned to one of a plurality of 
reproducing devices, wherein each key is associated 
with a node forming at least one AMayer tree structure 
(N is 2 or a natural number greater than 2), each key 
group includes keys associated with a different group of 

20 nodes, each group of nodes being aset of nodes located 
on a different path, in each tree structure, connecting a 
different node on the A/ th layer and a node on the highest 
layer, the recording medium including: an accepting 
step for accepting information designating a key group 

25 stored in one of the reproducing devices; a key selecting 
step for (1) invalidating each key in the designated key 
group, and (2) selecting non-invalid keys being immedi- 
ately subordinate to each invalid key from among keys 
in the key groups that are assigned to the other repro- 

30 ducing devices and each of which includes one or more 
invalid keys; and an encryption information generating 
step for generating encryption information that includes 
(i) ciphertexts corresponding to a content key that is 
used to encrypt the data, the ciphertexts being generat- 
es ed by encrypting the content key using each selected 
key, and (ii) identification information for identifying the 
selected keys, and wherein each reproducing device 
stores N keys assigned thereto, selectively decrypts one 
of the ciphertexts that is decryptable using a key identi- 

*o tied by the identification information to obtain the content 
key, and decrypts the data using the thus obtained con- 
tent key to reproduce a content. 
[0044] Such a recoding medium is applicable for use 
in a key management device. 

45 [0045] Alternatively the first object of the present in- 
vention is achieved by a system including: a plurality of 
recording devices for recording encrypted data to a re- 
writable recording medium; a plurality of reproducing 
devices for decrypting and reproducing the encrypted 

50 data being recoded in the recording medium; and a key 
management device for managing keys, the keys being 
grouped into a plurality of key groups each of which is 
assigned to the plurality of recording devices and the 
plurality of reproducing devices, wherein the key man- 

55 agement device includes: a key storage unit for storing 
the keys, wherein each key is associated with a node 
forming at least one AMayer tree structure (N is 2 or a 
natural number greater than 2), and each key group in- 
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eludes keys associated with a different group of nodes, 
each group of nodes being a set of nodes located on a 
different path, in each tree structure, connecting a dif- 
ferent node on the AA h layer and a node on the highest 
layer; an encryption information generating unit for, up- 
on receipt of information designating a key group as- 
signed to one of the recording devices and/or one of the 
reproducing devices. (1) invalidating each key in the 
designated key group, (2) selecting non-invalid keys be- 
ing immediately subordinate to each invalid key from 
among keys in the key groups that are assigned to the 
other recording devices and/or the other reproducing 
devices and each of which includes one or more invalid 
keys, and (3) generating encryption information that in- 
cludes (i) at least one ciphertext corresponding to a con- 
tent key that is used to encrypt the data, the ciphertexts 
being generated by encrypting the content key using 
each selected key, and (ii) identification information for 
identifying the selected keys; and an encryption infor- 
mation recording unit for recording the thus generated 
encryption information to the recording medium, each 
recording device includes: a key group storing unit for 
storing N keys, the N keys being associated with nodes 
located on a path, in each tree structure, connecting a 
node on the A/ h layer to a node on the highest layer; a 
content key decrypting unit for reading the encryption 
information from the recording medium , identifying a key 
stored in the key group storing unit using the identifica- 
tion information, and decrypting the ciphertext being de- 
cryptable with the thus identified key to obtain the con- 
tent key; and a content encrypting unit for encrypting a 
content using the thus obtained content key, and record 
the resulting encrypted data to the recording medium, 
and each reproducing device includes: a key group stor- 
ing unit for storing N keys, the A/keys being associated 
with nodes located on a path, in the tree structure, con- 
necting a node on the /V th layer to a node on the highest 
layer; a reproduction information obtaining unit for ob- 
taining the data generated by encrypting the content us- 
ing the content key, the ciphertext generated by encrypt- 
ing the content key, and the identification information for 
identifying the key used to encrypt the content key; a 
content key decrypting unit for selecting a key identified 
by the identification information from the keys stored in 
the key group storage unit, and decrypting the ciphertext 
decryptable using the thus selected key to obtain the 
content key; and a content reproducing unit for decrypt- 
ing the data using the thus obtained content key to re- 
produce the content. 

[0046] With this construction, only authorized recod- 
ing devices are able to encrypt and record obtained con- 
tents using a content key, and only authorized reproduc- 
ing devices are able to decrypt the contents recorded 
as ciphertexts using the content key and reproduce the 
resulting contents. 

[0047] Alternatively, the first object of the present in- 
vention is achieved by a rewritable recording medium 
having data generated by encrypting a content using a 



content key, the data being recorded by a recording de- 
vice storing one of key groups, and read/reproduced by 
a reproducing device storing one of the key groups, 
wherein the key groups together include keys each of 

5 which is associated with a node forming an A/-layer tree 
structure (N is 2 or a natural number greater than 2), 
each key group includes keys associated with a different 
group of nodes, each group of nodes that is a set of 
nodes located on a different path, in the tree structure, 

10 connecting a different node on the /V th layer and a node 
on the highest layer, the recording medium including: a 
ciphertext area for storing at least one ciphertext gener- 
ated by encrypting the content key using a selected key, 
the selected key being identical to a key stored in the 

15 recoding device and a key stored in the reproducing de- 
vice; a selected key area for storing identification infor- 
mation identifying the selected key used for encrypting 
the content key; and a data area for storing data record- 
ed by the recording device, the data being decryptable 

20 using the content key, the content key is obtained by 
decrypting the ciphertext using the key that is stored in 
the reproducing device and selected according to the 
identification information 

[0048] Contents are recoded to such a recording me- 
25 dium only by authorized recording devices and the con- 
tents in such a recording medium are reproducible only 
by authorized reproducing devices. 
[0049] Alternatively, the first object of the present in- 
vention is achieved by a key management device for 
30 managing keys, the keys being grouped into a plurality 
of key groups each of which is assigned to one of a plu- 
rality of recording devices for recording encrypted data 
in a rewritable recording medium, and to one of a plu- 
rality of reproducing devices for decrypting the encrypt- 
35 ed data recorded in the recording medium to reproduce 
the data, the key management device including: a key 
storing unit key storage unit for storing the keys, wherein 
each key is associated with a node forming at least one 
AMayertree structure (N is 2 or a natural number greater 
40 than 2), and each key group includes keys associated 
with a different group of nodes, each group of nodes be- 
ing a set of nodes located on a different path, in each 
tree structure, connecting a different node on the /V th lay- 
er and a node on the highest layer; an encryption infor- 
ms mation generating unit for, upon receipt of information 
designating a key group assigned to one of the repro- 
ducing devices, (1) invalidating each key in the desig- 
nated key group, (2) selecting non-invalid keys being im- 
mediately subordinate to each invalid key from among 
50 keys in the key groups that are assigned to the other 
reproducing devices and each of which includes one or 
more invalid keys, and (3) generating encryption infor- 
mation that includes (i) ciphertexts corresponding to a 
content key that is used to encrypt the data, the cipher- 
55 texts being generated by encrypting the content key us- 
ing each selected key, and (ii) identification information 
for identifying the selected keys; and an encryption in- 
formation recording unit for recording the thus generat- 
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ed encryption information in the recording medium. 
[0050] With this construction, groups of keys as- 
signed to recording devices and reproducing devices 
are managed. 

[0051] Alternatively, the first object of the present in- 
vention is achieved by a recording device for recording 
encrypted data in a rewritable recording medium, the re- 
cording device including: a key group storing unit for 
storing N keys {N is 2 or a natural number greater than 
2), wherein the N keys are respectively associated with 
nodes forming an AMayer tree structure together with 
nodes with which keys stored in other recording devices 
are associated, and the N keys are associated with a 
group of nodes that is a set of nodes located on a path : 
in the tree structure, connecting a node on the AA* 1 layer 
to a node on the highest layer; a content key decrypting 
unit for reading the encryption information from the re- 
cording medium, selecting a key stored in the key group 
storing unit using identification information, and decrypt- 
ing a ciphertext being decryptable with the thus selected 
key to obtain the content key, wherein the recording me- 
dium pre-stores encryption information including at least 
the ciphertext encrypted using the selected key and the 
identification information for identifying the selected key; 
and a content encrypting unit for encrypting a content 
using the thus obtained content key, and record the re- 
sulting encrypted data to the recording medium. 
[0052] With this construction, only authorized record- 
ing devices are able to encrypt a content using a content 
key and record the encrypted content to a recording me- 
dium. 

BRIEF DESCRIPTION OF THE DRAWINGS . 

[0053] These and the other objects, advantages and 
features of the invention will become apparent from the 
following description thereof taken in conjunction with 
the accompanying drawings which illustrate a specific 
embodiment of the invention. 
[0054] In the drawings: 

FIG. 1 is a schematic view showing the construc- 
tions of a key management device and a reproduc- 
ing device according to an embodiment 1 of the 
present invention; 

FIG. 2 is a schematic view showing, in a tree struc- 
ture model, one example of key management infor- 
mation stored in a key management information 
storing unit according to the embodiment 1 ; 
FIG. 3 is a view showing one example of the key 
management information stored in the key manage- 
ment information storage unit according to the em- 
bodiment 1 ; 

FIG. 4 is a view showing one example of the key 
management information that is updated and stored 
in the key management information storage unit ac- 
cording to the embodiment 1 ; 
FIG. 5 is a view showing one example of memory 



contemns recorded to a recording medium by a re- 
cording unit according to the embodiment 1; 
FIG. 6 is a view showing one example of the mem- 
ory contents recorded to a recording medium fol- 
5 lowing the key management information shown in 

FIG. 4; 

FIG. 7 is a view showing one example of key infor- 
mation stored in a key storage unit included in the 
reproducing device according to the embodiment 1 ; 
10 FIG. 8 is a flowchart showing operations for updat- 

ing the key management information according to 
the embodiment 1; 

FIG. 9 is a view showing, in a tree structure model, 
one example of key management information 

15 stored in a key management information storing unit 
included in a key management device according to 
the embodiment 1 of the present invention; 
FIG. 10 is a view showing one example of the key 
management information stored in the key manage- 

20 ment information storage unit according to the em- 

bodiment 2; 

FIG. 11 shows one example of table showing com- 
parisons, of the data included in the key manage- 
ment information according to a different number of 

25 tree structures; 

FIG. 12 is a schematic view showing the construc- 
tions of a key management device and a reproduc- 
ing device according to an embodiment 3 of the 
present invention; 

30 FIG. 13 is a flowchart showing operations conduct- 
ed by the key management device of the embodi- 
ment 3 for restoring keys that have been invalidated 
back to a usable state; 

FIG. 14 is a schematic view schematically showing 
35 the process for assigning groups of keys to new re- 
producing devices; 

FIG. 1 5 is a schematic view showing the configura- 
tion of a key management system according to an 
embodiment 4 of the present invention; 
40 FIG. 16 is a schematic view showing the construc- 
tion of a recording device according to the embod- 
iment 4; and 

FIG. 17 is a schematic view showing the construc- 
tion of a reproducing device according to the em- 
45 bodiment4. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

[0055] Hereinafter, description is given to preferred 
50 embodiments of a key management device and a repro- 
ducing device according to the present invention with 
reference to the drawings. 

(Embodiment 1) 

55 

[0056] FIG. 1 is a view showing the constructions of 
a key management device and a reproducing device ac- 
cording to an embodiment 1 of the present invention. 
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[0057] The key management device 101 includes a 
key management information storage unit 111, a content 
storage unit 112, a content key generating unit 113, a 
content encrypting unit 1 1 4, a key selecting unit 1 1 5, an 
accepting unit 116 : a ciphertext generating unit 117, a 
selected key list generating unit 118, and a recording 
unit 119. 

[0058] A recording medium 102 is, for example, a 
DVD having a large storage capacity. 
[0059] Each of reproducing devices 103 includes a 
key storage unit 131, a read unit 132, a key selecting 
unit 133, a content key decrypting unit 134 : a content 
decrypting unit 135 and a reproducing unit 136. 
[0060] The key management information storage unit 
111 stores, as key management information, keys each 
of which resides on a node of a tree structure as shown 
in FIG. 2. The tree structure is a binary tree structure 
with five hierarchical layers from a layer 1 , the top layer, 
to a layer 5, the lowest layer. 

[0061 ] Each key residing on the layer 5 is an individual 
key assigned to one of the reproducing devices 1 03. To 
be more specific, keys residing on each path between 
each individual key on the layer 5 and a Key 0 residing 
on the layer 1 form groups of keys, and each group of 
keys is assigned to a corresponding reproducing device 
103. 

[0062] For example, a reproducing device 1 , which is 
one of the reproducing devices 103, has five keys as- 
signed thereto, namely an individual key IK1 , a Key A, 
a Key I, a Key M, and the Key O. Similarly, a reproducing 
device 7 has five keys assigned thereto, namely an in- 
dividual key IK7, a Key D, a Key J, a Key M, and the Key 
O. 

[0063] FIG. 3 shows key management information 
stored in the key management information storage unit 
111. Key management information 301 includes each 
key's key ID 302, key data 303, parent key ID 304, and 
key state 305. 

[0064] The key ID 302 is an identifier for identifying 
each key arranged on each node of the tree structure 
shown in FIG. 2. 

[0065] The key data 303 is arbitrarily generated data, 
which functions as an encryption key when used by the 
key management device 101 , and as a decryption key 
when used by the reproducing device 1 03. 
[0066] The parent key ID 304 is an identifier for a key 
residing immediately above each key. In the case of the 
individual key IK1 , for example, the parent ID 304 is Key 
A. The Key O on the layer 1 does not have any parent 
key, so that its parent key ID 304 is "11 •••11" that indi- 
cates there exists no parent key. 

[0067] The key sate 305 indicates whether the key is 
currently in use. When the key is used to encrypt or de- 
crypt a content key, the key is a selected key that is in- 
dicated by the key state "I". When the key state 305 is 
"0", the key is not used for encryption or decryption. The 
key management information 301 shows an initial state 
of the key management information, so that no key state 



305 is "-1". When the key state 305 is "-I", the key is an 
invalid key, which will be described later. 
[0068] The content storage unit 1 1 2 is constructed of 
a hard disk and the like, and stores created contents, 
5 such as movies, in digitized form. 

[0069] The content key generating unit 113 gener- 
ates, for each content, a content key used to encrypt the 
content When the key management information is up- 
dated, each content key is updated as well. 
10 [0070] The content encrypting unit 114 encrypts con- 
tents using a common key cryptography method, such 
as DEF (Data Encryption Standard. In response to an 
encryption direction passed from the accepting unit 1 1 6, 
the content encrypting unit 114 encrypts a content read 
15 from the content storage unit 1 1 2 with a content key gen- 
erated by the content key generating unit 1 1 3, and then 
passes the resulting content to the recording unit 119. 
[0071 ] In response to the encryption direction passed 
from the accepting unit 116, the key selecting unit 115 
20 detects a key of which key state 305 is "1 " from the key 
information 301 stored in the key management informa- 
tion storage unit 111. Then, the key selecting unit 115 
reads the key ID 302 and the key data 303 of the de- 
tected key, and passes them to the ciphertext generat- 
es jng unit 117. The key selecting unit 115 also passes the 
key ID 302 of the detected key to the selected key list 
generating unit 118. 

[0072] On the other hand, when key IDs of keys to be 
invalidated are passed from the accepting unit 116, the 

30 key selecting unit 115 updates the key management in- 
formation 301 currently stored in the key management 
information storage unit 111 accordingly. 
[0073] Here, the key IDs IK7 : Key D, Key J, Key M 
and Key O, which are a group of key assigned to the 

35 reproducing unit 7 shown in FIG. 2, are notified to be 
invalidated, the key selecting unit 115 first excludes a 
key of which key state 305 is u -1 " from the keys included 
in the key management information 301 . Here, the key 
state "-1" indicates that the key is assigned to a repro- 

40 ducing device which has been misused. Such a key is 
referred to as an "invalid key". 

[0074] Next, the key selecting unit 115 sequentially 
judges whether the key ID 302 of each key matches any 
of the -key IDs notified. If there is a match, the key state 

45 of the currently processed key is changed to "-V\ If not, 
the key selecting unit 115 then judges whether the par- 
ent key of the currently processed key is in the key state 
being "■1". !f the key state of the parent key is not being 
"-1 ", the key state 305 of the currently processed key is 

50 left unchanged from "0", which indicates the key is not 
in use. If the key state 305 of the parent key is "-1", the 
key state of the currently processed key is changed to 
"1". The key state "1" indicates that the key is used to 
encrypt a content key. Such a key is referred to as a 

55 "selected key". The above processing is repeated for all 
the keys included in the key management information 
301. 

[0075] Through conducting the above processing, the 
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key selecting unit 115 updates the key management in- 
formation 301 . The updated key management informa- 
tion denoted by the reference number 401 is shown in 
FIG. 4. 

[0076] Next, the key selecting unit 115 passes to the 
ciphertext generating unit 117 the key IDs 302 and the 
key data 303 that correspond to keys of which key state 
305 being "1". The key selecting unit 115 also passes 
the same key IDs 301 to the selected key list generating 
unit 118. 

[0077] It should be noted that in the above description, 
all the key IDs of the keys to be invalidated are passed 
to the key selecting unit 115. Yet, it is also applicable to 
pass only the key ID of the individual key to be invali- 
dated. In this case, the key selecting unit 115 first de- 
tects from the key management information 301 or 401 
a key ID 302 that corresponds to the passed Key ID. 
Then, by sequentially detecting its parent key ID 304, 
the key selecting unit 115 finds out all the keys to be 
invalidated. 

[0078] The accepting unit 116 accepts operator' s in- 
put directing content encryption or designating key IDs 
to be invalidated. Upon receipt of an input directing con- 
tent encryption, the accepting unit 116 notifies the key 
selecting unit 115 and the encrypting unit 114 that en- 
cryption is directed. Upon receipt of an input designating 
key IDs to be invalidated, the accepting unit 116 passes 
the inputted key IDs to the key selecting unit 115. 
[0079] Upon receipt of the key IDs and the key data 
from the key selecting unit 115, the ciphertext generat- 
ing unit 117 generates ciphertexts by encrypting the 
content key, which is generated by the content key gen- 
erating unit 113, using the passed key data. The thus 
generated ciphertexts are then passed to the recording 
unit 119. 

[0080] The selected key list generating unit 118 gen- 
erates a selected key list including the key IDs that are 
passed from the key selecting unit 1 1 5, and then passes 
the thus generated list to the recording unit 119. 
[0081] The recording unit 119 records the encrypted 
contents passed from the content encrypting unit 114, 
the ciphertexts passed from the ciphertext generating 
unit 11 7 : the selected key list passed from the selected 
key list generating unit 118 onto the recording medium 
102 within each corresponding storage area. 
[0082] The recording medium 102 has storage areas 
separately for a selected key list, ciphertexts, and data, 
and the selected key list, the ciphertexts and the con- 
tents which have been encrypted with the content key, 
are recorded by the recording unit 119 into their respec- 
tive storage areas. 

[0083] FIG. 5 shows memory contents of the record- 
ing medium 102 recorded by the key management de- 
vice 101 when the key management information storage 
unit 111 stores the key management information 301 
shown in FIG. 3. 

[0084] The memory contents 501 include data 502, a 
ciphertext 503, and a selected key list 504. Here, the 



data 502 is a content encrypted with a content key. The 
ciphertext 503 is generated by encrypting the content 
key using a key of which key state 305 is "1" according 
to the key management information 301. In this case, 

5 the key used tor encryption is the Key O on the top layer 
1 of the key structure. The selected key list 504 is used 
to specify the key used to encrypt the ciphertext 503. It 
should be noted that "E(X, Y)" indicates that the data Y 
is encrypted with the key X. Accordingly, the ciphertext 

10 503 indicates that the content key is decrypted with the 
key of which key ID is "Key O". 

[0085] FIG. 6 shows memory contents of the record- 
ing medium 102 recorded after the group of keys as- 
signed to the reproducing device 7 (see FIG. 2), namely 
15 |K7, Key D, Key J, Key M and Key O, is invalidated. In 
other words, the memory contents are the ones record- 
ed when the key management information storage unit 
111 stores the key management information 401 shown 
in FIG. 4. 

20 [0086] The memory contents 601 include data 602, 
ciphertexts 603 and a selected key list 604. 
[0087] The data 602 is the contents each encrypted 
with a content key. Each content key is generated for 
each content, and when the key management informa- 
25 tion 301 is updated, a different content key is generated 
for the same content. That is to say, the data 502 and 
503 included in the memory contents 501 and 601, re- 
spectively, are not the same although the original con- 
tent is the same. This is because their content keys are 
30 different. 

[0088] The ciphertexts 603 are generated by encrypt- 
ing the content key using each key included in the se- 
lected key list 604. The memory contents 501 include 
only one ciphertext 503 since there is only one key re- 

35 corded in the selected key list 504, while the memory 
contents 503 include four ciphertexts 603 since there 
are four keys recorded in the selected key list 604. 
[0089] Incidentally, the cryptographic key distribution 
system cited in the background of the invention above, 

40 in order to invalidate one individual key and its parent 
keys residing on the upper layers, seven ciphertexts 
need to be generated when the tree structure has five 
layers similarly to this embodiment. That is to say, the 
cryptographic key distribution system of the cited inven- 

45 tion requires 2/V-3 ciphertexts, while this embodiment 
only requires AM ciphertexts. 

[0090] Hereinafter, description is given to one of the 
reproducing devices 103. 

[0091] Keys each arranged on a node of the tree 
50 structure shown in FIG. 2 are assigned to the key stor- 
age unit 131 in advance. Thus, the key storage unit 131 
stores five pieces of key information each of which is a 
key ID of each assigned key paired with corresponding 
key data. 

55 [0092] FIG. 7 shows the key information stored in the 
key storage unit 131 of the reproducing device 1 shown 
in FIG. 2. The key information 701 includes the key IDs 
702 and the pieces of data 703 in correspondence with 
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each other. 

[0093] When the recording medium is attached to the 
reproducing unit 1 03 and when a reproduction direction 
is passed from an operating unit (not illustrated), the 
read unit 132 reads the memory contents from the re- 5 
cording medium 102. 

[0094] The read unit 132 selectively passes, from the 
read memory contents, the selected key list, the cipher- 
texts ; and the data, which is the encrypted contents, to 
the key selecting unit 133, the contently key decrypting 10 
unit 1 34 and the content decrypting unit 1 35, respective- 
ly- 

[0095] Upon the receipt of the selected key list, the 
key selecting unit 133 selects from the keys stored in 
the key storage unit 131 a key ID that matches any of 15 
key IDs included in the selected key list. The key select- 
ing unit 133 then reads and passes to the content key 
decrypting unit 1 34 the key ID selected thereby together 
with the corresponding key data. 

[0096] The content key decrypting unit 134 selects 20 
from the ciphertexts passed from the read unit 132 the 
one that corresponds to the key ID passed from the key 
selecting unit 133, and decrypts the selected ciphertext 
using the key data passed from the key selecting unit 

1 33 as a decryption key. The content key decrypting unit 25 

134 then passes the thus decrypted content key to the 
content decrypting unit 135. 

[0097] The content decrypting unit 135 verifies the 
correctness of the content key passed from the content 
key decrypting unit 134 using verification techniques 30 
such as "signature". Next, the content decrypting unit 

135 decrypts the encrypted content passed from the 
read unit 1 32 using the content key passed from the con- 
tent key decrypting unit 134, then passes the thus de- 
crypted content to the reproducing unit 136. 35 
[0098] The reproducing unit 136 reproduces and out- 
puts the content passed from the content decrypting unit 
135. 

[0099] Hereinafter, description is given to one con- 
crete example, in which the reproducing unit 1 03 is the 40 
reproducing unit 1 shown in FIG. 2, and the recording 
medium 1 02 stores the memory contents 501 . The key 
storage unit 1 31 stores the key information 701 , and the 
read unit 132 passes to the key selecting unit 133 the 
selected key list 504 that includes the key ID, "Key O". 45 
The key selecting unit 133 detects from the key infor- 
mation 701 a key ID that matches the passed key ID 
"Key O", reads the key ID 702 and the key data corre- 
sponding to the detected key, and then passes the read 
ID and data to the content key decrypting unit 1 34. so 
[0100] The content key decrypting unit 134 decrypts 
the ciphertext passed from the read unit 132 using the 
key data passed from the key selecting unit 1 33 to obtain 
a content key, and then passes the thus obtained con- 
tent key to the content decrypting unit 135. 55 
[01 01 ] Next, description is given to the case where the 
recording medium stores the memory contents 601. In 
this case, the read unit 132 passes to the key selecting 



unit 133 the selected key list 604 that includes the key 
IDs, "Key N, Key I, Key C and IK8". 
[01 02] The key selecting unit 1 33 selects the matched 
key ID, "Key I" from the keys included in the key infor- 
mation 701 stored in the key storage unit 702. Then, the 
key selecting unit 133 reads the key ID "Key I" and the 
corresponding key data and passes them to the content 
key decrypting unit 134. 

[01 03] The content key decrypting unit 1 34 selectively 
decrypts one of the four given ciphertexts 605 that is 
encrypted with "Key I" using the key data passed from 
the key selecting unit 1 33, thereby obtaining the content 
key. 

[01 04] Now, description is given to the case where the 
reproducing unit 103 is the reproducing unit 7 shown in 
FIG. 2, and the recording medium 102 stores the mem- 
ory contents 601 . In this case, the selected key list 604 
passed to the key selecting unit 1 33 includes the key 
IDs, "Key N : Key I, Key C and IK8", while the key storage 
unit 131 stores the key IDs "IK7, Key D, Key J, Key M 
and Key O". Here, there is no match in the key IDs, so 
that the content key decrypting unit 134 is not allowed 
to decrypt any of the ciphertexts. In this case, the repro- 
ducing unit 7 can not obtain a content key. 
[01 05] In this embodiment, the number of ciphertexts 
that the content key decrypting unit 134 decrypts in or- 
der to obtain a content key is just one except the case 
of the misused reproducing unit 7. On the contrary, the 
prior art cryptographic key distribution system cited 
above needs to decrypt at most four, or AM , ciphertexts 
to obtain a content key, when the tree structure has five 
layers just as this embodiment. 

[0106] Hereinafter, description is given to main oper- 
ations of updating processing conducted by the key 
management device 1 01 with reference to the flowchart 
shown in FIG. 8. 

[0107] First, the key selecting unit 115 waits for the 
accepting unit 116 to inform key IDs designated to be 
invalidated, which are the keys assigned to a misused 
reproducing device (S802). Upon receipt of the key IDs, 
the key selecting unit 115 initializes the counter i to "1" 
(step S804), and then initializes the counter j to "1 " (step 
S806). 

[01 08] The key selecting unit 1 1 5 judges whether the 
j ih key residing on the i th layer (the layer i) is in the key 
state "-I" (step S808), and goes on a step S818 If the 
key state is "-1". If not, the key selecting unit 115 then 
judges whether the key ID of the j th key on the layer i 
matches any of the designated key IDs (step S810). 
When there is no key ID matched, the selecting unit 115 
judges whether its parent key (on the layer i-1 ) is in the 
key state "-1" (step S812). Here, when there exists no 
parent key, the above judgment results in negative. If 
the key state of the parent key is "-1 ", the selecting unit 
115 goes onto the step S818. If the key state of the par- 
ent key is n -1", the selecting unit 115 changes the key 
state of the currently processed key from "0" to "-1 " (step 
S814),then goes onto the step S818. In the step S810, 
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on the other hand., when the key ID matches any of the 
designated key IDs, the selecting unit 115 changes the 
key state of the currently processed key to M -1 U (step 
S816), then goes onto the step S818. 
[0109] Next, in the step S818, the key selecting unit 
1 15 judges whether the counter j is equal to 2H . When 
the judgment results in negative, the key selecting unit 
1 1 5 adds "1 " to the counter i (step S820), and then goes 
back to the step S808. When the judgment results in 
affirmative, the key selecting unit 115 adds "1" to the 
counter i (step S822), and then judges whether i>N, that 
is whether the value of counter i exceeds the layer N 
(step S824). When the judgment results in affirmative, 
the processing is terminated, while the judgment results 
in negative, the processing goes onto the step S806. 
[01 10] In this embodiment, description is given to the 
case where keys are arranged on nodes forming a bi- 
nary tree structure having five layers. Yet, the tree struc- 
ture may be a ternary tree structure, or may branch off 
into irregular number of nodes. 

[0111] In order to invalidate keys assigned to another 
reproducing device, for example the reproducing device 
12, after the keys assigned to the reproducing device 7 
shown in FIG. 2 are invalidated, the key selecting unit 
115 conducts the above operations of updating the key 
management information shown in FIG. 8, so that the 
key management information is updated. 
[0112] As a result, the selected key list generating unit 
118 generates a selected key list (that includes the key 
IDs "Key I, Key L r Key C, Key E, IK8, and IK11). 
[0113] in addition, the ciphertext generating unit 117 
generates the following ciphertexts, which are 

E(Key I, Content key), 

E(Key L, Content key), 

E(Key C, Content key), 

E(Key E, Content key), 

E(Key IK8, Content key), and 

E(Key IK11 S Content key). 
[0114] Here : it is also applicable to constitute the key 
management device to store the key management in- 
formation 301 , which is an initial state of the key man- 
agement information, or the key management informa- 
tion 401, which is a state after the group of keys as- 
signed to the reproducing device 7 is invalidated, or the 
key management information (not illustrated), which is 
a state after the group of keys assigned to the reproduc- 
ing device 12 is further invalidated, together with the 
time and data at which the key management information 
is updated. 

[0115] If the history of the key management informa- 
tion 301 and the like is stored in the key management 
information storage unit 111 in the above manner, the 
key management information 305 and the like may be 
easily converted back to the state at a point in the past. 

(Embodiment 2) 

[0116] Next, description is given to a key manage- 



ment device and a reproducing device according to a 
second embodiment of the present invention. The key 
management device and the reproducing device in this 
embodiment are almost the same as those in the em- 
5 bodiment 1 above. So, the description is given with ref- 
erence to the FIG. 1 . 

[0117] In this embodiment, keys assigned to each re- 
producing device are groups of keys arranged on nodes 
of a plurality of tree structures. 
10 [0118] The key management information storage unit 
111 stores, as key management information, keys each 
of which resides on a node forming four tree structures 
as shown in FIG. 9. 

[0119] Each of the tree structures 901 , 902, 903 and 

15 904 is a binary tree structure having three hierarchal lay- 
ers. Each key residing on the layer 3 is an individual key 
assigned to one of the reproducing device. For example, 
the reproducing device 1 has three keys assigned there- 
to, namely an individual key IK1 , and its upper keys of 

20 Key A and Key I. Similarly, the reproducing device 2 has 
three keys assigned thereto, namely, an individual key 
IK2 and its upper keys of Key A and Key I. 
[0120] Key management information of these keys is 
shown in FIG. 10. Similarly to the key management in- 

25 formation 301 , the key management information 1 001 
includes each key's key ID 1002, key data 1003, parent 
key ID 1004, and key state 1005, which is listed in the 
following order: keys on the layer 1 to the layer 3 of the 
tree structure 901 , then the layer 1 to layer 3 of the tree 

30 structure 902, — to the layer 3 of the tree structure 904. 
[0121] The key management information 1001 has 
four selected keys, that are the keys of which key state 
is "1". Thus, the ciphertext generating unit 117 gener- 
ates four ciphertexts. 

35 [01 22] Similarly to the embodiment 1 above, when the 
keys assigned to the reproducing device 7 are invalidat- 
ed, five keys, namely Key I, Key C, IK8, Key K, Key L, 
are then selected as selected keys. When the keys as- 
signed to the reproducing device 12 are further invali- 

40 dated, six keys, namely Key I, Key C, IK8, Key E, IK11, 
and Key L are then selected as selected keys. Thus, the 
numbers of ciphertexts generated in these two cases 
are 5 and 6, respectively. 

[01 23] It should be noted that the steps S802-S824 in 
45 the flowchart shown in FIG. 8 are the operations appli- 
cable to the case of one tree structure, so that the key 
management information regarding L tree structures are 
updated by repeating the same operations L times. 
[0124] FIG. 11 is a table showing comparisons of the 
50 data in the key management information in the cases 
where there are different numbers of three structures for 
16 of the reproducing devices 103. 
[01 25] The comparison table 1 1 01 shows the number 
of tree structures 1102, the number of keys 1103, the 
55 number of misused reproducing devices 1104, the 
number of selected keys 1105 that is equal to the 
number of ciphertexts 1105, and the number of keys 
stored by one reproducing device 1105. 
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[0126] The number of the tree structures 11 02 is "one" 
in the embodiment 1 above, and "four 4 ' in this embodi- 
ment. As the number of the tree structures 1102 is in- 
creased, the number of hierarchal layers in each tress 
structure decreases, so that the number of the keys 5 
1103 decreases as well. In other words, when the 
number of tree structures 1 1 02 is increased, the number 
of keys to be stored in the key management information 
storage unit 111 decreases. Further, the number of keys 
stored in the key storage unit 131 of the reproducing de- 10 
vice 103 decreases as well. 

[0127] However, the increase in the number of the 
tree structures 1 1 02 results in increase in the number of 
selected keys=the number of ciphertexts 1105 in an in- 
itial state. Here, the initial state refers to the state in '5 
which the number of misused reproducing devices 1 1 04 
is "0". When the number of misused reproducing devic- 
es 1104 increases, the number of ciphertexts 1105 in- 
creases, but to a different extent depending on the 
number of the tree structures 1102. For example, when 20 
the number of misused reproducing devices 1 1 04 is "2", 
the number of ciphertexts 11 05 is "6" regardless of the 
number of tree structures 1102 being either "1", "2 U , or 
"4". 

[0128] As clarified in the above comparisons, when 25 
the maximum number of keys to be invalidated is set to 
be 2 K , the optimum number of tree structures L is 2 K+1 
in order to minimize the number of ciphertexts 1105, the 
number of keys 11 06 to be stored by a reproducing de- 
vice, the number of keys 1103 to be stored in the key 30 
management information storage unit 111, and the like. 

(Embodiment 3) 

[0129] FIG. 12 is a view showing the constructions of 35 
a key management device and a reproducing device ac- 
cording to a third embodiment of the present invention. 
[0130] A key management device 1201 includes the 
key management information storage unit 111 , the con- 
tent storage unit 112, the content key generating unit *o 
11 3, the content encrypting unit 114, a key selecting unit 
1211, and the accepting unit 116 : the cipher text gener- 
ating unit 1 1 7, the selected key list generating unit 1 1 8, 
and a multiplexing/transmitting unit 1212. 
[0131] Each of reproducing devices 1202 includes a *5 
receiving unit 1221, the key storage unit 131, the key 
selecting unit 133, the content key decrypting unit 134, 
the content decrypting unit 1 35, and the reproducing unit 
136. It should be noted that the same components as 
those constituting the key management device 1 01 and so 
the reproducing device 103 are denoted by the same 
reference numbers and description thereof is omitted. 
Hereinafter, description is given only to the construc- 
tions unique to this embodiment. 

[0132] Instead of the recording unit 119 that the key 55 
management device 101 has in the embodiment 1 , the 
key management device 1 201 includes the multiplexing/ 
transmitting unit 1212, and acts as a data transmitting 



device. 

[0133] Instead of the read unit 132 that the reproduc- 
ing device 103 has in the embodiment 1, the reproduc- 
ing device 1202 includes the receiving unit 1221, and 
acts as a data receiving device. 

[0134] The content encrypting unit 114 reads a con- 
tent from the content storage unit 1 1 2, and encrypts the 
content using a content key generated by the content 
key generating unit 113, and passes the data resulting 
from the encryption to the multiplexing/transmitting unit 
1212. 

[0135] The ciphertext generating unit 117 encrypts 
the content key generated by the content key generating 
unit 113 using key data passed from the key selecting 
unit 1211 and passes the resulting ciphertexts to the 
multiplexing/transmitting unit 1212. 
[0136] The selected key generating unit 118 gener- 
ates a selected key list with the key IDs passed from the 
key selecting unit 1211, and passes the thus generated 
list to the multiplexing/transmitting unit 1212. 
[0137] The multiplexing/transmitting unit 1212 trans- 
mits the data passed from the content encrypting unit 
114, the ciphertexts generated by the ciphertext gener- 
ating unit 11 7, and the selected key list generated by the 
selected key list generating unit 118 to a plurality of re- 
producing units 1202. 

[0138] At the end of each reproducing unit 1202, the 
receiving unit 1221 receives the data, the ciphertexts, 
and the selected key list transmitted from the multiplex- 
ing/transmitting unit 1 21 2, and then passes the data, the 
ciphertexts, the selected key list to the content decrypt- 
ing unit 135, the content key decrypting unit 134, and 
the key selecting unit 133, respectively. 
[0139] Incidentally, communications of the data and 
the like between the multiplexing/transmitting unit 1212 
and the reproducing devices 1212 may be made via 
broadcast waves, multicast communication paths for 
the Internet using a public network, CATV, or the like. 
[0140] Here, each reproducing device 1202 receives 
data from the key management device 1202 under the 
subscription contract, so that a group of keys stored in 
the reproducing device may be invalidated when the 
contract is canceled. Atthis time the keys are invalidated 
in the similar manner to the reproducing devices 103 in 
the embodiment 1 . 

[0141] Similarly to the embodiment 1 above, the key 
management information storage unit 111 stores, as key 
management information, keys each of which is ar- 
ranged on a node of a tree structure as shown FIG. 2. 
[0142] Now, description is given to processing to re- 
store a key group that has been invalidated. Here, the 
group of keys assignedto the reproducing device 1 2 has 
been invalidated due to the cancellation of the subscrip- 
tion contract, but the contract is made again, so that the 
key groups need to be restored. 

[0143] FIG. 13 is a flowchart showing operations to 
restore the keys that have been invalidated to be usable 
again. 
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[0144] The accepting unit 116 accepts an operator's 
input designating key IDs, "Key O, Key N, Key K, Key F 
and IK12" that are the keys in the key group assigned 
to the reproducing device 12. The key selecting unit 
1211 waits for the receiving unit 1 1 6 to pass the inputted 
IDs "Key O, Key N. Key K, Key F and IK12" (step 
S1302), sets the counter i at an initial value of "1" (step 
S1304), and sets the counter j at an initial value of "1" 
(step S1 306). 

[0145] The key selecting unit 1211 judges whether 
"Key 0\ which is the key ID of a first key on the layer 1 , 
matches any of the designated key IDs (step S1308). 
When the judgment results in negative, the designated 
keys to be restored do not reside in this tree structure. 
Thus, key selecting unit 1 21 1 terminates the processing 
on this tree structure, and goes on to the processing to 
check the key management information regarding an- 
other key structure. In this embodiment, there is only 
one tree structure, so that the key ID, "Key O" matches 
one of the designated key IDs to be restored. Next, the 
key selecting unit 1211 judges whether two keys having 
the first key on the layer 1 as their common parent key 
are both in the key state "-1" (step S1310). Here, "Key 
M" and "Key NT are both in the key state "-1 so that the 
key selecting unit 1211 goes onto a step 1314. In the 
case where one of the two keys is not in the key state 
"-1", to be more specific, in the case where "Key M" is 
in the key state "1", the key state of the first key on the 
layer 1 is changed to "I" (step S1312). 
[0146] Next, the key selecting unit 1211 adds 'T'-to 
the counter i (S1 31 4), and judges whetherthej th key on 
the layer i matches any of the designated key IDs to be 
restored (step 1316). When there is a match, the key 
selecting unit 1211 judges whether its parent key is in 
the key state u -1" (step S1317). When there is not a 
match in the step S1316, the key selecting unit 1211 
judges whether the key state of its parent key has been 
changed to "1 " (step S1 31 8). When the key state of the 
parent key has not been changed, the key selecting unit 
1211 goes onto a step S1324. Otherwise, the key se- 
lecting unit 1211 changes the key state of the j th key on 
the layer i to "0" (step S1322) and then goes onto the 
step S1324. 

[0147] When it is judged in the step S1317 that the 
parent key is not in the key state "-1", the key selecting 
unit 1211 performs the step 1322. Otherwise, the key 
selecting unit 1211 changes the key state of the j th key 
on the layer i to "1" (step S1320), and then goes onto 
the step S1324. 

[01 48] In the step s1 324, the key selecting unit 1211 
judges whether the counter j holds a value equal to 2 M . 
If the judgment results in negative, the key selecting unit 
1211 adds "1" to the counter j (step S1326), and the 
goes back to the step S1316. If the judgment results in 
affirmative., the key selecting unit 1211 judges whether 
the counter i holds a value equal to "N" (step S1328). If 
the judgment results in affirmative, the key selecting unit 
1211 terminates the processing. If not, the key selecting 



unit 1211 initializes the counter i to *T' (step S1330), and 
then goes back to the step S1314. 
[0149] As a result of the above processing, the keys 
in the key group assigned to the reproducing device 12 
5 are restored, so that the key management information 
is changed to the key management information 401 
shown in FIG. 4. 

[0150] Now, the reproducing device 12 is allowed to 
decrypt one of the ciphertexts transmitted from the key 

10 management device 1 201 using the key data stored in 
the key storage unit 131 , thereby obtaining the content 
key. Consequently, the reproducing device 1 2 is capable 
of decrypting the encrypted data using the content key 
as a decryption key. 

15 [0151] Next, description is given to processing to ad- 
ditionally store new key groups to be assigned to the 
reproducing devices 1202. 

[0152] To add four reproducing devices when the ex- 
isting keys are in condition shown in the key manage- 
20 ment information 401 , the key selecting unit 1 2 1 1 newly 
generates keys arranged in a tree structure having three 
layers. 

[0153] FIG. 14 is a schematic view showing the key 
arrangement at this stage. A new tree structure 1402 is 

25 composed of four individual keys to be assigned to each 
of the additional reproducing devices 17, 18, 19, and 20, 
and two keys, Key P and Key Q residing on the upper 
layer 2, and one key, Key R residing on the top layer 1 . 
[0154] Next, the key selecting unit 1211 replaces Key 

30 r on the layer 1 with Key N on the layer 2 of the existing 
tree structure (the key sate of Key N is not "-1"). 
[0155] As a result, the following key groups are as- 
signed to the reproducing devices 17, 18, 19, and 20, 
which are: 

35 

the reproducing device 17 (Key O, Key N, Key P 
and IK17); 

the reproducing device 18 (Key O, Key N, Key P 
andlK18); 

40 the reproducing device 19 (Key O, Key N. Key Q 
and IK19); and 

the reproducing device 17 (Key O, Key N, Key Q 
and IK20). 

45 [0156] The key selecting unit 1211 adds to the key 
management information 401 a key ID, key data, a par- 
ent key ID, and a key state of each newly added key. 
Here, each key state is "0" indicating the key is non-used 
key. 

50 [0157] In the above description, the Key R residing on 
the top layer of the new tree structure 1402 is replaced 
with Key N residing in the existing tree structure 1402. 
Yet, it is also applicable to replace the Key R with the 
Key L. 

55 

(Embodiment 4) 

[01 58] FIG. 1 5 is a schematic view showing the con- 
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struction of a system that is constructed of a key man- 
agement device and an encryption information storage 
unit, recording units, and reproducing units according to 
an embodiment 4 of the present invention. 
[01 59] To be more specific, this system is constructed 5 
of a key management device 1501 , an encryption infor- 
mation recording unit 1502, a plurality of recoding units 
1 503, and a plurality of reproducing units 1 504. A rewri- 
table recording medium 1502 has encryption informa- 
tion that is pre-recorded by the encryption information io 
recording device 1502. 

[0160] The keymanagement device 1501 has the sim- 
ilar construction to that of the key management device 
101 of the embodiment 1 above, except that the content 
storage unit 112, the content encrypting unit 114, and *5 
the recording unit 119 are not included. The encryption 
information recording unit 1502 has the construction 
similar to part of the recording unit 11 9 of the key man- 
agement device 101. 

[0161] The recording medium 1505 is a large capacity 20 
recording, medium, such as a DVD-RAM, DVD-RW, and 
the like, and has a selected key list and ciphertexts that 
are written by the encryption information recording de- 
vice at the time of manufacturing the recording medium. 
[0162] Each of the recording devices 1503 includes, 25 
as shown in FIG. 1 6, a key storage unit 1 601 , a content 
key decrypting unit 1602, and an encrypting unit 1603. 
[0163] Similarly to the key storage unit 131 included 
in the reproducing device 103 of the embodiment 1 
above, the key recording unit 1601 stores N keys as- 30 
signed in advance. 

[0164] When the recording medium 1 505 is attached 
to the recording device 1503, the content key decrypting 
unit 1602 reads the selected key list and the ciphertexts 
from the recording medium 1 505. Then, the content key 35 
decrypting unit 1602 reads from the key storage unit 
1 601 a key that correspond to any of the key IDs in the 
selected key list, and decrypts one of the ciphertexts that 
is decryptable with the thus decrypted key data, thereby 
obtaining a content key. Finally, the content key decrypt- 40 
ing unit 1602 passes the thus obtained content key to 
the encrypting unit 1603. 

[0165] The encrypting unit 1603 receives a content 
such as a TV program, encrypts the content with the 
content key passed from the content key decrypting unit 
1602, and writes the thus encrypted content to the re- 
cording medium 1505. 

[0166] The reproducing device 1504 has the con- 
struction similar to the reproducing device 103 of the 
embodiment 1 above. FIG. 17 shows the construction so 
thereof in a simplified manner. 

[0167] When the recording medium 1505 is attached 
to the reproducing device 1504, the content key decrypt- 
ing unit 1 702 reads the selected key list and the cipher- 
texts from the recording medium 1505, and reads from 55 
the key storage unit 1701 the key data that corresponds 
to any of the keys included in the selected key list. The 
content key decrypting unit 1 702 decrypts one of the ci- 



phertexts that corresponds to the read key data, thereby 
obtaining the content key. The content key decrypting 
unit 1702 passes ihe thus obtained content key to the 
decrypting unit 1703. 

[0168] The decrypting unit 1703 reads the encrypted 
content from the recording medium to decrypt the con- 
tent using the content key passed from the content key 
decrypting unit 1703, then reproduces and outputs the 
decrypted content. 

[0169] Although, it is described in the embodiments 1 
and 2 above that the read-only recording medium 102 
is used to record the encrypted data together with the 
encryption information, in this embodiment, however, ci- 
phertexts that are generated by encrypting a content key 
and encryption information are pre-recorded to the re- 
writeable recording medium 1505. Both the recording 
device 1503 and the reproducing device 1504 decrypt 
one of the ciphertexts using a key stored in each device 
to obtain the content key. Then, the recording device 
1503 encrypts a content using the content key, while the 
reproducing device 1504 decrypts the content using the 
content key. 

[0170] In this manner, the system of this embodiment 
manages key groups assigned to both the recording de- 
vice 1503 and the reproducing device 1504. 
[0171] It should be noted that in the above embodi- 
ments, the key management devices and the reproduc- 
ing devices have the constructions shown in FIG. 1 or 
FIG. 12. Yet, the present invention may be embodied in 
a program implementing functions of each component 
by a computer. Further, such a program may be record- 
ed on a computer-readable medium and used to imple- 
ment factions of the key management device and/or the 
reproducing device. 

[0172] Although the present invention has been fully 
described by way of examples with reference to the ac- 
companying drawings, it is to be noted that various 
changes and modifications will be apparent to those 
skilled in the art. Therefore, unless such changes and 
modifications depart from the scope of the present in- 
vention, they should be construed as being included 
therein. 



Claims 

1. A key management device for managing keys, the 
keys being grouped into a plurality of key groups 
each of which is assigned to one of a plurality of 
reproducing devices for decrypting encrypted data 
to reproduce the data, the key management device 
comprising: 

key storage means for storing the keys, where- 
in 

each key is associated with a node form- 
ing at least one Allayer tree structure (N is 2 or 
a natural number greater than 2), and 
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each key group includes keys associated 
with a different group of nodes, each group of 
nodes being a set of nodes located on a differ- 
ent path, in each tree structure, connecting a 
different node on the AA h layer and a node on 5 
the highest layer; and 

encryption information generating means for, 
upon receipt of information designating a key 
group assigned to one of the reproducing de- 
vices, 10 

(1) invalidating each key in the designated 
key group, 

(2) selecting non-invalid keys being imme- 
diately subordinate to each invalid key from '5 
among keys in the key groups that are as- 
signed to the other reproducing devices 
and each of which includes one or more 
invalid keys, and 

(3) generating encryption information that 20 
includes (i) ciphertexts corresponding to a 
content key that is used to encrypt the data, 

the ciphertexts being generated by en- 
crypting the content key using each select- 
ed key. and (ii) identification information for 25 
identifying the selected keys, and wherein 

each reproducing device stores N keys as- 
signed thereto, selectively decrypts one of the 
ciphertexts that is decryptable using a key iden- 30 
tified by the identification information to obtain 
the content key, and decrypts the data using the 
thus obtained content key to reproduce a con- 
tent. 

35 

2. The key management device of Claim 1 , wherein 

the encryption information generating means 
includes: 

a data generating unit which generates the data *o 
by encrypting the content usingthe content key; 
an invalid key accepting unit which accepts the 
information designating the key group assigned 
to the one reproducing device; 
a key selecting unit which invalidates each key 
in the designated key group, and selects the 
non-invalid keys being immediately subordi- 
nate on a different path to each invalid key ex- 
cept for the invalid key residing on the A/ h layer; 
a ciphertext generating unit which generates so 
the ciphertexts by encrypting the content key 
using each selected key; and 
a selected key list generating unit which gener- 
ates a list used to identify the selected keys. 

55 

3. The key management device of Claim 2, wherein 

the key storage means includes a key man- 
agement information storage unit which stores each 



key's (i) identifier for identifying the key : (ii) parent 
key identifier for identifying its parent key being im- 
mediately superordinate to the key, (iii) key state in- 
formation showing whether the key is a selected key 
being used to generate one of the ciphertexts, an 
invalid key : or a non-used key, and (iv) key data, and 

the invalid key accepting unit accepts identi- 
fiers for each key in the designated key group, and 

the key selecting unit 

(1) updates the key state information so as to 
invalidate a key of which identifier matches any 
of the designated identifiers, and 

(2) updates the key state information so as to 
select a key (i) of which identifier does not 
match any of the designated identifiers, (ii) of 
which parent key is invalidated, and (iii) that is 
neither invalided nor selected. 

4. The key management device of Claim 3, wherein 

in the key management information, the key 
on the highest layer has a specific value as its par- 
ent key identifier, and 

the key selecting unit selects the key of which 
parent identifier has the specific value as a selected 
key unless the key is invalidated. 

5. The key management device of Claim 2, wherein 
the encryption information generating means fur- 
ther includes: 

a restoring key accepting unit which accepts in- 
formation designating a key group that has 
been invalidated and to be restored; and 
a restoring unit which 

(a) selects, from among the keys in the 
designated key group to be restored, a key 
of which parent key being immediately su- 
perordinate to the key and a brother key 
having the same parent key are both inval- 
idated, and 

(b) changes a subordinate key of the thus 
selected key in the designated key group 
to a non-used key. 

6. The key managing device of Claim 5, wherein 

the key storage means includes a key man- 
agement information storage unit which stores, 
each key's (i) identifier for identifying the key, (ii) 
parent key identifier for identifying its parent key be- 
ing immediately superordinate to the key, (iii) key 
state information showing whether the key is a se- 
lected key being used to generate one of the cipher- 
texts, an invalid key, or a non-used key, and (iv) key 
data, 

the restoring key accepting unit accepts iden- 
tifiers for each key in the designated key group to 
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be restored, and 

the restoring unit updates the key state infor- 
mation so as to 

(1 ) select, from among keys having an. identifier 
that matches any of the designated identifiers, 

(1) the key on the highest layer when its imme- 
diately subordinate key residing on a different 
path is currently selected, or (ii) a key on the 
second layer or below when its brother key hav- 
ing the same parent key is all invalidated, 

(2) change to a non-used key a key having an 
identifier that matches any of the designated 
identifiers and being subordinate on the same 
path to the thus selected key, and 

(3) change to a non-used key a key having an 
identifier that does not match any of the desig- 
nated identifiers and having the thus selected 
key as its parent key. 

7. The key management device of Claim 2, further 
comprising: 

. new key accepting means for accepting the 
number of reproducing devices to which a key 
group is newly assigned; 

new key generating means for generating keys 
which are associated with nodes forming an M- 
layer tree structure (M is a natural number be- 
tween 2 and N inclusive); and 
connecting means for replacing a key on the 
highest layer of the newly generated tree struc- 
ture with a selected key or a non-used key re- 
siding on the (N-M+~\) ib or higher layer of the 
existing tree structure stored in the key record- 
ing means. 

8. The key management device of Claim 2, further 
comprising recording means for recording to a re- 
cording medium the data generated by the data 
generating unit, the ciphertexts generated by the ci- 
phertext generating unit, and the selected key list 
generated by the selected key generating unit. 

9. The key management device of Claim 2 5 further 
comprising transmitting means for transmitting to 
the plurality of reproducing devices the data gener- 
ated by the data generating unit, the ciphertexts 
generated by the ciphertext generating unit, and the 
selected key list generated by the selected key gen- 
erating unit. 

10. The key management device of Claim 3, wherein 

the key management information storing unit 
stores the key management information every time 
it is updated by the key selecting unit, and 

the key storage means further includes a re- 
storing unit for restoring the key management infor- 



mation back to its initial version or any updated ver- 
sion. 

11. The key management device of Claim 1, wherein 
5 the key storage means stores L tree struc- 
tures, L being 2 K+1 when the maximum number of 
key groups to be invalidated is set at 2 K . 

12. A recording medium to be reproduced by one of a 
10 plurality of reproducing devices each of which 

stores a key group, wherein 

each key in the key group being assigned to 
a node forming an AMayer tree structure (N is 2 or 
a natural number greater than 2) together with 
15 nodes with which keys stored in the other reproduc- 
ing devices are associated, and 

the keys in the key group being associated 
with a group of nodes that is a set of nodes located 
on a path, in each tree structure, connecting a node 
20 on the A^ h layer and a node on the highest layer, 

the recording medium comprising: 

a data area which stores data generated by en- 
crypting a content using a content key; 
25 a ciphertext area which stores at least one ci- 

phertext generated by encrypting the content 
key using a selected key, the selected key be- 
ing identical to one of the keys stored in each 
reproducing device except for a specifically 
30 designated reproducing device; and 

a selected key list area which stores informa- 
tion identifying the selected key used for en- 
crypting the content key. 

35 13. A reproducing device for decrypting encrypted data 
to reproduce the data, the reproducing device com- 
prising: 

key group storing means for storing N keys {N 
40 is 2 or a natural number greater than 2) , where- 

in 

the N keys are respectively associated 
with nodes forming an /V-layertree structure to- 
gether with nodes with which keys stored in oth- 

45 er reproducing devices are associated, and 

the N keys are associated with a group of 
nodes that is a set of nodes located on a path, 
in the tree structure, connecting a node on the 
/V th layer to a node on the highest layer; 

so reproduction information obtaining means for 

obtaining (i) the data by encrypting a content 
using a content key, (ii) at least one ciphertext 
generated by encrypting the content key, and 
(iii) identification information for identifying a 

55 key used to encrypt the content key; 

content key decrypting means for selecting a 
key identified by the identification information 
from the keys stored in the key group storage 
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means, and decrypting the ciphertextthat is de- 
cryptable using the thus selected key to obtain 
the content key; and 

content reproducing means for decrypting the 
data using the thus obtained content key to re- 5 
produce the content. 

14. The reproducing device of Claim 13, further com- 
prising read means for reading from a recording me- 
dium (i) the data generated by encrypting the con- 10 
tent using the content key, (ii) the ciphertext gener- 
ated by encrypting the content key, and (iii) the in- 
formation for identifying the key used to decrypt the 
content key, and passing the read result to the re- 
production information obtaining means. 15 

15. The reproducing device of Claim 13, further com- 
prising receiving means for receiving (i) the data 
generated by encrypting the content using the con- 
tent key, (ii) the ciphertext generated by encrypting 20 
the content key, and (iii) the information for identi- 
fying the key used to decrypt the content key, and 
passing the received result to the reproduction in- . 
formation obtaining means. 

25 

16. A key management method for use in a key man- 
agement device to manage keys stored in a storage 
area of the key management device, wherein 

the keys are grouped into a plurality of key 
groups each of which is assigned to one of a plural- 30 
ity of reproducing devices, 

each key is associated with a node forming at 
least one A/-layer tree structure (A/ is 2 or a natural 
number greater than 2), 

each key group includes keys associated with 35 
a different group of nodes, each group of nodes be- 
ing a set of nodes located on a different path, in 
each tree structure, connecting a different node on 
the AA h layer and a node on the highest layer, the 
key management method comprising: 40 

an accepting step for accepting information 
designating a key group stored in one of the re- 
producing devices; 

a key selecting step for 45 

(1) invalidating each key in the designated 
key group, and 

(2) selecting non-invalid keys being imme- 
diately subordinate to each invalid key from 50 
among keys in the key groups that are as- 
signed to the other reproducing devices 
and each of which includes one or more 
invalid keys; and 

55 

an encryption information generating step for 
generating encryption information that includes 
(i) ciphertexts corresponding to a content key 



that is used to encrypt the data, the ciphertexts. 
being generated by encrypting the content key 
using each selected key., and (ii) identification 
information for identifying the selected keys, 
and wherein 

each reproducing device stores N keys as- 
signed thereto, selectively decrypts one of the 
ciphertexts that is decryptable using a key iden- 
tified by the identification information to obtain 
the content key, and decrypts the data using the 
thus obtained content key to reproduce a con- 
tent. 

17. A key management program for use in a computer 
to manage keys, the keys being grouped into a plu- 
rality of key groups each of which is assigned to one 
of a plurality of reproducing devices, wherein 

each key is associated with a node forming at 
least one AMayer tree structure (N is 2 or a natural 
number greater than 2), 

each key group includes keys associated with 
a different group of nodes, each group of nodes be- 
ing a set of nodes located on a different path, in 
each tree structure, connecting a different node on 
the /V th layer and a node on the highest layer, the 
program comprising: 

an accepting step for accepting information 
designating a key group stored in one of the re- 
producing devices; 
a key selecting step for 

(1) invalidating each key in the designated 
key group, and 

(2) selecting non-invalid keys being imme- 
diately subordinate to each invalid key from 
among keys in the key groups that are as- 
signed to the other reproducing devices 
and each of which includes one or more 
invalid keys; and 

an encryption information generating step for 
generating encryption information that includes 
(i) ciphertexts corresponding to a content key 
that is used to encrypt the data, the ciphertexts 
being generated by encrypting the content key 
using each selected key, and (ii) identification 
information for identifying the selected keys, 
and wherein 

each reproducing device stores N keys as- 
signed thereto, selectively decrypts one of the 
ciphertexts that is decryptable using a key iden- 
tified by the identification information to obtain 
the content key, and decrypts the data using the 
thus obtained content key to reproduce a con- 
tent. 

18. A computer readable recording medium for use in 
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a key management device to manage keys, the 
keys being grouped into a plurality of key groups 
each of which is assigned to one of a plurality of 
reproducing devices, wherein 

each key is associated with a node forming at 5 
least one AMayer tree structure (N is 2 or a natural 
number greater than 2), 

each key group includes keys associated with 
a different group of nodes, each group of nodes be- 
ing a set of nodes located on a different path, in 10 
each tree structure : connecting a different node on 
the /V th layer and a node on the highest layer, the 
recording medium comprising: 

an accepting step for accepting information is 
designating a key group stored in one of the re- 
producing devices; 
a key selecting step for 

(1) invalidating each key in the designated 20 
key group, and 

(2) selecting non-invalid keys being imme- 
diately subordinate to each invalid key from 
among keys in the key groups that are as- 
signed to the other reproducing devices 25 
and each of which includes one or more 
invalid keys; and 

an encryption information generating step for 
generating encryption information that includes 30 
(i) ciphertexts corresponding to a content key 
that is used to encrypt the data, the ciphertexts 
being generated by encrypting the content key 
using each selected key, and (ii) identification 
information for identifying the selected keys, 35 
and wherein 

each reproducing device stores N keys as- 
signed thereto, selectively decrypts one of the 
ciphertexts that is decryptable using a key iden- 
tified by the identification information to obtain *o 
the content key, and decrypts the data using the 
thus obtained content key to reproduce a con- 
tent. 



19. A system comprising: 



45 



a plurality of recording devices for recording en- 
crypted data to a rewritable recording medium; 
a plurality of reproducing devices for decrypting 
and reproducing the encrypted data being re- so 
coded in the recording medium; and 
a key management device for managing keys, 
the keys being grouped into a plurality of key 
groups each of which is assigned to the plurality 
of recording devices and the plurality of repro- ss 
ducing devices, wherein 
the key management device includes: 



key storage means for storing the keys, 
wherein 

each key is associated with a node 
forming at least one AMayertree structure 
(N is 2 or a natural number greater than 2), 
and 

each key group includes keys asso- 
ciated with a different group of nodes, each 
group of nodes being a set of nodes locat- 
ed on a different path, in each tree struc- 
ture, connecting a different node on the AA h 
layer and a node on the highest layer; 

encryption information generating means for, 
upon receipt of information designating a key 
group assigned to one of the recording devices 
and/or one of the reproducing devices, 

(1) invalidating each key in the designated 
key group, 

(2) selecting non-invalid keys being imme- 
diately subordinate to each invalid key from 
among keys in the key groups that are as- 
signed to the other recording devices and/ 
or the other reproducing devices and each 
of which includes one or more invalid keys, 
and 

(3) generating encryption information that 
includes (i) at least one ciphertext corre- 
sponding to a content key that is used to 
encrypt the data, the ciphertexts being 
generated by encrypting the content key 
using each selected key, and (ii) identifica- 
tion information for identifying the selected 
keys; and 

encryption information recording means for re- 
cording the thus generated encryption informa- 
tion to the recording medium, 
each recording device includes: 

key group storing means for storing N keys, 
the /Vkeys being associated with nodes lo- 
cated on a path, in each tree structure, con- 
necting a node on the /V th layer to a node 
on the highest layer; 

content key decrypting means for reading 
the encryption information from the record- 
ing medium, identifying a key stored in the 
key group storing means using the identi- 
fication information, and decrypting the ci- 
phertext being decryptable with the thus 
identified key to obtain the content key; and 
content encrypting means for encrypting a 
content using the thus obtained content 
key, and record the resulting encrypted da- 
ta to the recording medium, and 
each reproducing device includes: 
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key group storing means for storing N 
keys, the A/keys being associated with 
nodes located on a path, in the tree 
structure, connecting a node on the /V th 
layer to a node on the highest layer; 5 
reproduction information obtaining 
means for obtaining the data generat- 
ed by encrypting the content using the 
content key, the ciphertext generated 
by encrypting the content key, and the to 
identification information for identify- 
ing the key used to encrypt the content 
key; 

content key decrypting means for se- 
lecting a key identified by the identifi- *5 
cation information from the keys 
stored in the key group storage 
means, and decrypting the ciphertext 
decryptable using the thus selected 
key to obtain the content key; and 20 
content reproducing means for de- 
crypting the data using the thus ob- 
tained content key to reproduce the 
content. 

25 

20. A rewritable recording medium having data gener- 
ated by encrypting a content using a content key, 
the data being recorded by a recording device stor- 
ing one of key groups, and read/reproduced by a 
reproducing device storing one of the key groups, 30 
wherein 

the key groups together include keys each of 
which is associated with a node forming an A/-layer 
tree structure (N is 2 or a natural number greater 
than 2), 35 

each key group includes keys associated with 
a different group of nodes, each group of nodes that 
is a set of nodes located on a different path, in the 
tree structure, connecting a different node on the 
/V th layer and a node on the highest layer, the re- *o 
cording medium comprising: 

a ciphertext area for storing at least one cipher- 
text generated by encrypting the content key 
using a selected key, the selected key being 45 
identical to a key stored in the recoding device 
and a key stored in the reproducing device; 
a selected key area for storing identification in- 
formation identifying the selected key used for 
encrypting the content key: and 50 
a data area for storing data recorded by the re- 
cording device, the data being decryptable us- 
ing the content key, the content key is obtained 
by decrypting the ciphertext using the key that 
is stored in the reproducing device and selected 55 
according to the identification information. 

21. A key management device for managing keys, the 



keys being grouped into a plurality of key groups 
each of which is assigned to one of a plurality of 
recording devices for recording encrypted data in a 
rewritable recording medium, and to one of a plu- 
rality of reproducing devices for decrypting the en- 
crypted data recorded in the recording medium to 
reproduce the data, the key management device 
comprising: 

key storing means key storage means for stor- 
ing the keys, wherein 

each key is associated with a node form- 
ing at least one /V-layer tree structure (N is 2 or 
a natural number greater than 2), and 

each key group includes keys associated 
with a different group of nodes, each group of 
nodes being a set of nodes located on a differ- 
ent path, in each tree structure, connecting a 
different node on the /V th layer and a node on 
the highest layer; 

encryption information generating means for, 
upon receipt of information designating a key 
group assigned to one of the reproducing de- 
vices, 

(1) invalidating each key in the designated 
key group, 

(2) selecting non-invalid keys being imme- 
diately subordinate to each invalid keyfrom 
among keys in the key groups that are as- 
signed to the other reproducing devices 
and each of which includes one or more 
invalid keys, and 

(3) generating encryption information that 
includes (i) ciphertexts corresponding to a 
content key that is used to encrypt the data, 
the ciphertexts being generated by en- 
crypting the content key using each select- 
ed key, and (ii) identification information for 
identifying the selected keys; and 

encryption information recording means for re- 
cording the thus generated encryption informa- 
tion in the recording medium. 

22. A recording device for recording encrypted data in 
a rewritable recording medium, the recording de- 
vice comprising: 

key group storing means for storing A/keys (N 
is 2 or a natural number greater than 2) : where- 
in 

the N keys are respectively associated 
with nodes forming an AMayertree structure to- 
gether with nodes with which keys stored in oth- 
er recording devices are associated, and 

the N keys are associated with a group of 
nodes that is a set of nodes located on a path, 
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in the tree structure, connecting a node on the 
/V th layer to a node on the highest layer; 
content key decrypting means for reading the 
encryption information from the recording me- 
dium, selecting a key stored in the key group 5 
storing means using identification information, 
and decrypting a ciphertext being decryptable 
with the thus selected key to obtain the content 
key, wherein 

the recording medium pre-stores encryp- 10 
tion information including at least the ciphertext 
encrypted using the selected key and the iden- 
tification information for identifying the selected 
key; and 

content encrypting means for encrypting a con- *5 
tent using the thus obtained content key, and 
record the resulting encrypted data to the re- 
cording medium. 

20 



25 



30 



35 



40 



45 



50 



55 



20 



BNSDOCID: <EP 1215844A2_L> 



EP 1 215 844 A2 




21 



BNSDOCIO: <EP. 



1215S44A2_L> 



EP 1 215 844 A2 



C\J 




^Reproducing 

IT) 

— Reproducing 

— Reproducing 
^ Reproducing 
r; Reproducing 



^ Reproducing 
Reproducing 



o 

2 Reproducing 
5 Reproducing 
^ Reproducing 
2 Reproducing 
^ Reproducing 
S Reproducing 
S Reproducing 
2 Reproducing 
2 Reproducing 



Device! 6 
Devicel 5 
Devicel 4 
Devicel 3 
Devicel 2 
Devicel 1 
Devicel 0 
Device9 
Device8 
Device7 « 
Device6 
Devices 
Device4 
Device3 
Device2 
Devicel 





CM 


CO 




LO 








V— 


L_ 


CD 


CD 




CD 


CD 




>. 






>^ 


03 


03 


03 


CTJ 


03 


— I 


-J 


—1 


— 1 


—1 



BNSDOCID: <EP 1 21 5844A2J_> 



22 



EP 1 215 844 A2 



FIG.3 



302 



Key Management Information 301 
303 / 304 

c± 



305 



Key ID 
Key 0 
Key M 
Key N 
Key I 
Key J 
Key K 



Key A 
Key B 
Key C 
Key D 



IK 1 



IK 7 
IK 8 



IK 16 



Key Data 



Parent Key ID 



1 1 



•11 



Key O 
Key O 
Key M 
Key M 
Key N 



Key I 
Key I 
Key J 
Key J 



Key A 



Key D 
Key D 



Key H 



Key State 
1 



0 



0 
0 



0 
0 



0 



0 



23 



BNSOOCID: <EP 121S844A2J_> 



EP 1 215 844 A2 



FIG.4 



302 



Key Management Information 401 

303 / 304 




305 
^ 



Key ID 
Key O 
Key M 
Key N 
Key I 
Key J 
Key K 



Key A 
Key B 
Key C 
Key D 



I K 1 



I K 7 
I K 8 



I K 16 



Key Data 



Parent Key ID 



1 1 



1 1 



Key O 
KeyO 
Key M 
Key M 
Key N 



Key I 
Key I 
Key J 
Key J 



Key A 



Key D 
Key D 



Key H 



Key State 
-1 



-1 



-1 



0 
0 



0 



24 



EP1 215 844 A2 



FIG.5 

501 




Selected Key List 504 



(Key 0) 


Ciphertext 


503 




Data 


502 



E (Content Key, Content)= 



25 

BNSDOClD:<EP 1215844A2_I_> 



EP 1 215 844 A2 



FIG.6 

601 



Selected Key List ^604 




(Key N, Key 1, Key C, IK 8) 




Ciphertext /-603 




E (Key N, Content Key)= ■ - • 

E ( IK 8, Content Key)= 




Data ^602 











605 



BNSDOCID: <EP 1215844A2_I_> 



26 



EP 1 215 844 A2 



FIG.7 



Key Information 701 


702 


/ I 03 






Key ID 


Key Data 


IK 1 




Key A 




Key 1 




Key M 




Key 0 





27 



EP 1 215 844 A2 
FIG.8 





S810 



Key ID in Key Management 
Info. Match Designated Key ID? 



S820 
— < 




S816 



Change Key State of 

Current Key to 
1 



S814 



Change Key State of 
Current Key to "1" 



T 



N 



S818 



S822 



N 




S824 



C End ) 



28 



EP 1 215 844 A2 



o 

CD 



CO 

O 
cn 



LL. CD 



O 
CD 




Reproducing Device 1 6 
Reproducing Devicel 5 
Reproducing Devicel 4 
Reproducing Devicel 3 
Reproducing Devicel 2 
Reproducing Devicel 1 
Reproducing Devicel 0 
Reproducing Device9 
Reproducing Device8 
Reproducing Device7 
Reproducing Device6 
Reproducing Device5 
Reproducing Device4 
Reproducing DeviceS 
Reproducing Device2 
Reproducing Devicel 



CD 



OJ 
0) 
03 



CO 
Q) 
03 



BNSDOCID: <EP 12l5844A2J_> 



29 



EP 1 215 844 A2 



1002 



FIG.10 

Key Management Information 1 001 

1004 



1003 
^ 



1005 



Key ID 
Key I 
Key A 
Key B 
IK 1 



IK 2 



IK 3 



IK 4 

Key J 
KeyC 
Key D 
IK 5 



IK 6 



IK 7 



IK 8 

Key K 
Key E 



IK 12 
Key L 



IK 16 



Key Data 



Parent Key ID 



11 • 



1 1 



Key I 
Key I 
Key A 
Key A 
Key B 
Key B 
11 ♦••11 
Key J 
Key J 
KeyC 
KeyC 
Key D 



Key D 



1 1 



-11 



KeyK 



Key F 



1 1 



1 1 



Key H 



Key State 



1 



0 
0 
0 



0 



0 



0 
0 



u 



0 



0 



30 



EP 1 21 5 844 A2 



FIG.1 1 



1 102 



Comparison Table 1101 
1103 1104 / 1105 



1 106 



No. of Tree 
Structures 


No. of 
Keys 


No. of Reproduc- 
ing uevices 
Misused 


No. of Selected Keys 
=No. of Ciphertexts 


No. of Keys Assigned to 
One Reproducing Device 






0 


1 




1 


31 


1 


4 


5 






2 


6 








0 


2 




2 


30 


1 


4 


4 






2 


6 








0 


4 




4 


28 


1 


5 


3 






2 


6 








0 


8 




8 


24 


1 


8 


2 






2 


8 





1215844A2_I_> 



31 



EP 1 215 844 A2 



CD 

u 
*> 

CD 

Q 

co 
E 
*o 

"D 
O 

CL 
CD 



\ 



CD 
C 

"o 

=3 
T3 
O 
k_ 
CL 
CD 



lo 

CO 



\ 



CO 

_c 
a. 

a 
cu 
O 

c 

CD 



O 

o 

TFT 



c e 



ou- 



co 



\ 



>^£= 

a> ID 

* CD 

c — 

CJ> CD 

o 



CO 
CO 



CO 

c 

*.*-» 
CJ 
CD 

<D 

>> 
CD 



CO 



\ 



— > 



CD 
CD 
CO 

o 
>^ 

CD 



Receiving Unit 



CvJ 



a? 
u 

*> 

CD 
Q 
+-> 

c 

CD 

E 

a) 

CO 

ro 
c 



CD 



CJ 
CXI 




Multiplexing/Transmitting Unit 
* 



V 



O) 

4— » 

CL 



c 

CD 
+-» 

c 
o 



CvJ 



v O 



CO 



V 



>» "c 

CD ZD 
* CO 

CJ <D 



\ 



— # 



CD 




D) 




CT3 








o 






4-» 


4— ' 

c 


'c 


CD 




4— » 




c 




o 




o 





\ 









'cz 


-1 — ' 


CD 


cr 


<r> 


QJ 


o> 


E 


CO 
1 


a> 


o 


CD 




CO CO 


Man 


tion 




CO 




E 








o 







CO 



co 4-^ 
O) CO 

S 



/ 



OO 



CD 
_C 

CD 
CD 

>> 

CD 



\ 



CO 



cl 

CD 
O 
CJ 

< 



32 



BNSDOCID: <EP. 



.1215e44A2_l_> 



EP 1 215 844 A2 



FIG.13 



S1326 



N 



(invalid Key Restoring Processing) 

^S1302 

Key IDs to be 
.Restored Designated?. 

SI 304 
SI 306 



SI 308 





Y 

t ^ 


I.I 1 


> 




1-1 1 








,S1 3 1 2 

Change Key State of jth Key on Layer i to "1 " ) 



S1314 




Change Key State of Current Key to "0" j 



Change Key State of Current Key to "1 ' 



SI 330 



N 



j=1 



N 




SI 324 



SI 328 



C End ) 



33 



BNSDOCID: <EP 12 1 5B44A2_I_> 



EP 1 215 844 A2 




£j Reproducing Device20 



r; Reproducing Device 1 9 



r; Reproducing Device 18 



^ Reproducing Device 1 7 





Reproducing 


Device 1 6 




Reproducing 


Device! 5 




Reproducing 


Device 1 4 


CO 


Reproducing 


Device 1 3 




Reproducing 


Device! 2 




Reproducing 


Device! 1 


o 


Reproducing 


Devicel 0 


cn 


Reproducing 


Devices 


oo 


Reproducing 


Device8 




Reproducing 


Device7 





(XI 


CO 




LO 




L_ 


L_ 




i_ 




CD 


CD 




CD 


>> 


>> 


>> 


>^ 




to 


CD 


TO 




TO 


— i 


— 1 


-J 




-J 



34 



EP 1 215 844 A2 



LO 




CD 



o 
o 



35 



BNSDOCID: <EP_ 



_1215844A2J_> 



EP1 215 844 A2 




36 



BNSDOCID: <EP 1215844A2J_> 



EP 1 215 844 A2 




37 



BNSDOCID: <EP 1215844A2_I_> 



THIS PAGE BLANK (uspto) 



